Anatomy of an e-commerce Transaction

E-commerce stands for electronic commerce, which encompasses selling/buying things electronically Or to be precise over the internet. E-Commerce can be considered as important as the invention of the internet itself.

Obviously, commerce is all about money, in exchange for things people buy or sell. And e-commerce is no different, it leverages the fact that there are ways to transact money electronically over the internet. However, such transactions are very different from the routine one at a pos terminal in a brick and mortar establishment. Here seller cannot see the card or cardholder. They are simply not present there, which led to a significant rise in fraud. Hence the need for additional measures to prevent such frauds, by simply establishing the identity of the cardholder.

Visa took a step forward and introduced 3D Secure(3DS) authentication for e-commerce (known as Verified by Visa) transactions. Later same being followed by other Payment Schemes i.e; Mastercard (SecureCode), Amex (SafeKey), Diners (ProtectBuy) and so on.

3D in a 3D Secure transaction refers to three domains who gets involved in the process, i.e.; Issuer domain, Interoperability domain, and Acquirer domain. When an issuing bank participates in the 3D Secure program than the card issued can be enrolled in the 3DS program and will be able to undergo additional authentication while making an e-commerce purchase.

Let’s have a quick step by step view of how the transaction flows through these systems.

Anatomy of E-Commerce Transaction
3DS Transaction Flow

a) Buyer checkout on an e-commerce merchant portal and provide payment details (card number, expiry, cvv etc.). In an ideal scenario, the transaction should go to a payment gateway. However, in case of 3D Secure, there is a special system called Merchant Plug-In (MPI) which will first receive the transaction.

b) MPI, which could reside on the server hosting, merchant portal reaches out to the Directory Server another component typically managed by Payment Schemes) to find out whether the card and the card issuer to whom the card belongs, is enrolled for 3D Secure authentication.

c) If enrolled, MPI receives the address (URL) of the special system which presents in issuer domain, called Account Control Server(ACS) from Directory Service and reach out to ACS for Cardholder authentication.

d) ACS system does the authentication by asking the cardholder to input OTP or a password which was set while card enrolled for 3D secure.

e) ACS provides back the authentication result to MPI. MPI then decides and choose to send the transaction with additional information further to the Payment Gateway for processing.

f) Here onwards the transaction flow will be similar as of a routine transaction acquired at a pos terminal. Payment Gateway performs routine validation as part of transaction processing and forwards the transaction request further to Processor/Payment Scheme.

g) Payment Scheme forwards it further to the Issuer to process the transaction. Issuer’s authorization system verify additional 3D Secure data received. Once all the processing is done, the result goes back to MPI and eventually to merchant portal.


Initial version of 3D Secure has been very successful in dealing with the frauds, however, with the boom in m-commerce challenges and risk to grown significantly and hence new version 2.0 of 3DS has been introduced by EMVco, which primarily aims to consider and use the biometrics and tokens to make the whole ecosystem more robust and secure.